-
Notifications
You must be signed in to change notification settings - Fork 2
/
2334-x3-adxsrv.nse
64 lines (51 loc) · 1.34 KB
/
2334-x3-adxsrv.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
local nmap = require "nmap"
local shortport = require "shortport"
local string = require "string"
description = [[
Checks if an X3 AdxSrv service is present and vulnerable to a directory disclosure
vulnerability.
]]
---
-- @see
-- @usage
-- nmap -p 50000 --script x3-adxsrv.nse <target>
--
-- @output
-- 50000/tcp open
-- |x3-adxsrv-vuln: VULNERABLE
-- |_Directory returned-> C:\Sage\SafeX3\AdxAdmin
author = "@deadjakk"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "vuln"}
portrule = shortport.port_or_service ({50000,1818,1895,1819}, "Sage X3", {"tcp"})
action = function( host, port )
local socket = nmap.new_socket()
local status, err = socket:connect(host, port)
if not status then
return
end
local auth = "\x09\x00"
local adx_dir_msg = "\x07\x41\x44\x58\x44\x49\x52\x00"
socket:set_timeout(5000)
socket:send(auth)
status, line = socket:receive_bytes(4)
if not status then
return
end
-- checks for indicator of authorization
if not string.sub(line,1,2) == "\x00\x00" then
return
end
socket:send(adx_dir_msg)
local status, line = socket:receive_buf("AdxAdmin",true)
if not status then
return
end
if not line then
return
end
if status then
return "VULNERABLE\nDirectory returned-> " .. string.sub(line,5,-1)
end
return
end